Information about HeartBleed and IIS

The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) has received a significant amount of attention recently. While the discovered issue is specific to OpenSSL, many customers are wondering whether this affects Microsoft’s offerings, specifically Windows and IIS.  Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.

We also want to assure our customers that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability. Windows comes with its own SSL/TLS implementation called Secure Channel (a.k.a. SChannel), which does not share code with OpenSSL and is not susceptible to the Heartbleed vulnerability.

This applies to all Windows operating systems and IIS versions, up to and including IIS 8.5 running on any of the following operating systems:

• Windows Server 2003 and 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2

Customers running software on Windows that uses OpenSSL instead of SChannel (for example, the Windows version of Apache) may be vulnerable. We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider. For more information and corrective action guidance, please see the information from US-CERT here.
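Because the risk on Windows comes from third-party software that ships its own OpenSSL rather than from SChannel, a practical first step is to inventory OpenSSL DLLs on each server and compare their versions against the affected range. The script below is an added example, not code from the original post or from Microsoft; it assumes the search roots and DLL name patterns shown, and that the DLL's version resource carries the OpenSSL version string (such as "1.0.1e") in ProductVersion.

```powershell
# Added example, not part of the original post: inventory OpenSSL DLLs on a Windows
# host and flag builds in the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f,
# plus the 1.0.2 betas). SChannel is not scanned because the post states it is unaffected.
# Assumptions: the search roots, the DLL name patterns, and that the DLL's version
# resource holds the OpenSSL version string (e.g. "1.0.1e") in ProductVersion.

$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\inetpub") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$DllNames = @('libeay32.dll', 'ssleay32.dll', 'libssl*.dll', 'libcrypto*.dll')

function Get-OpenSslHeartbleedStatus {
    param([string]$Version)
    if (-not $Version)                        { return 'UNKNOWN (no version resource)' }
    $v = $Version.Trim()
    if ($v -match '^1\.0\.1[a-f]?(?:-|$)')    { return 'VULNERABLE (1.0.1 - 1.0.1f)' }
    if ($v -match '^1\.0\.1[g-z]')            { return 'FIXED (1.0.1g or later)' }
    if ($v -match '^1\.0\.2-beta')            { return 'VULNERABLE (1.0.2 beta)' }
    if ($v -match '^(0\.9\.|1\.0\.0)')        { return 'NOT AFFECTED (no heartbeat support)' }
    return "REVIEW (unrecognised version '$v')"   # e.g. numeric-only "1.0.1.5": check by hand
}

# Walk each root, collect every matching DLL with its version and classification.
$results = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -Include $DllNames -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $info = $_.VersionInfo
            $ver  = if ($info.ProductVersion) { $info.ProductVersion } else { $info.FileVersion }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $ver
                Status  = Get-OpenSslHeartbleedStatus $ver
            }
        }
}

if ($results) {
    $results | Sort-Object Status | Format-Table -AutoSize
} else {
    "No OpenSSL DLLs found under: $($SearchRoots -join ', ')"
}
```

A DLL flagged VULNERABLE means the owning product needs its vendor's updated build, and any private keys that product served should be treated as exposed; remember that load balancers or appliances in front of IIS are outside this host-level check.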

Comments

  • Anonymous
    January 01, 2003
    Great and valuable walk-thru. Thanks.
  • Anonymous
    January 01, 2003
    Answering Kumar's question: The vulnerability is not in the certificate itself, so copying a certificate from Apache to IIS doesn't cause it to become vulnerable. However, this is NOT advisable, because HeartBleed may have allowed someone malicious to compromise the Certificate's private key while it was being used on the Apache server. If so, that key can be used maliciously in several ways, and therefore, the certificate should be revoked and replaced as a precaution (just like your users should change their password on your site, if they had any)
  • Anonymous
    April 10, 2014
    Good to know - thanks
  • Anonymous
    April 10, 2014
    Just like any other project, open source software needs attention or problems like this get left in the wild for a very long time.
  • Anonymous
    April 10, 2014
    Don’t worry, if IIS was open source they’d be grabbing their ankles weekly.
  • Anonymous
    April 10, 2014
    That's nice??
  • Anonymous
    April 11, 2014
    Erez,
    Thank you for your post.
    It eliminated a lot of our customers' concerns.
  • Anonymous
    April 11, 2014
    What a hater! The only one grabbing their ankles has been OpenSSL users... for 10 years! You think being "open source" someone would have noticed and fixed it sooner.
  • Anonymous
    April 14, 2014
    Suppose I exported an SSL server certificate with its key from Apache to IIS; will my IIS then become vulnerable to Heartbleed?
  • Anonymous
    April 14, 2014
    Thanks Ben. But I am not very clear on this issue. Supposing I have a device or server which has some OpenSSL modules: if this version of OpenSSL is vulnerable, then the PKI environment used when generating the CSR would be susceptible to a Heartbleed attack. Is that right? Or do I need to correct myself? My initial thought was that any PKI certificate CSR generated using a vulnerable version of OpenSSL is susceptible to Heartbleed.
  • Anonymous
    April 15, 2014
    Check out the section titled "Is it only sites on Apache and nginx that are affected?" in this page: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html . Even if you have a farm of only IIS servers, if you have a load balancer in front of them, it might be running OpenSSL.
  • Anonymous
    May 03, 2014
    I have a Windows Server 2003 on our intranet network running application software written in .NET; will it be affected by this vulnerability?
  • Anonymous
    May 05, 2014
    After my blog post on the topic , questions continue to flow about the effect it has on Windows, Azure
  • Anonymous
    May 08, 2014
    Ok, what a sight. Whatever.
  • Anonymous
    May 14, 2014
    OpenSSL Heartbleed Vulnerability not applicable to CIC
  • Anonymous
    May 18, 2014
    Pingback from Heartbleed og de forskjellige operativsystemene | Teknologia